NATIONAL ARCHIVES
OFFICE of INSPECTOR GENERAL

Date:           June 28, 2011
Reply to
Attn of:        Office of Inspector General (OIG)

Subject:        Management Letter OI 11-01: Unsupported [redacted]

To:             David S. Ferriero, Archivist of the United States (N)

[illegible] to share a concern [illegible] on NARA's [illegible] use [illegible]. NARA's continued use of [redacted] [illegible]. NARA is taking to replace software [redacted] [illegible].

The purpose of this management letter is to [illegible]. [The] claim was substantiated in that we [illegible] and the vast majority [illegible] to [illegible] use [redacted]. As a result, software updates including critical security updates from [redacted] are not applied to these PCs. We found that management in the Office of Information Services (NH)[1] has been aware of this condition for some time and that, while some [illegible] been taken to mitigate the increased risk resulting from this condition, a replacement [redacted] has not yet been identified. On April 7, 2011, we sent an email message to the Deputy Chief Information Officer (DCIO), requesting additional information about this matter. On April 13, 2011, we received a written response from the DCIO. We have referenced responses to our questions in this management letter where appropriate and have attached a complete copy of the DCIO's response.

[1] Issues identified in this management letter initially arose prior to the agency-wide reorganization. Thus, a determination was made to employ acronyms and titles which existed at that time.

NATIONAL ARCHIVES and RECORDS ADMINISTRATION
8601 ADELPHI ROAD, ROOM 1300
COLLEGE PARK, MD 20740-6001
www.archives.gov

Majority of workstations connected to the NARA network use [redacted] that is no longer supported by the manufacturer

We used [redacted], a network management tool installed on the NARA [illegible], to determine [illegible] connected to the network are [illegible] and, if so, how many PCs are using [illegible] workstations connected to NARA [illegible]. In fact, as of June 13, 2011, the [illegible] workstations deployed. For these workstations, [illegible] hundred and nine (4,709) of the workstations use the [illegible]; that two hundred sixteen [illegible]; and that two (2) use [redacted].

Use of an unsupported operating system increases risk to the network

The primary concern [illegible] is that, since PCs connected to the NARA network are [redacted], these workstations would no longer receive software updates. [These updates] include critical security updates that [address] vulnerabilities and can help protect computers from [redacted] and [illegible]. As a result, it has long been accepted in the IT security [illegible] is one of the most effective ways of reducing the risk of malware incidents and that many instances of malware have succeeded because systems were not patched in a timely manner.

We used [redacted] to examine the state of patch application [illegible] network. [We found] that, in the period leading up to [illegible], patches that were categorized as [illegible] that was released [illegible] was applied to [illegible] network and was not applied to fifty-five (55) workstations. [illegible] of being applied to PCs connected to the [illegible] released the [illegible] to address [illegible] vulnerability affected PCs [illegible] did not release a patch [illegible] which this critical [illegible] thirty four (134) PCs connected to the network. We [illegible] critical [illegible] in [redacted] since [illegible] not [illegible] instance in [illegible] more [illegible] connected to the NARA network received the patch.

We requested information on risk mitigation in our questions to the DCIO. In his response, the DCIO reported that NH has taken several steps to address the additional risks [illegible]: an [illegible] mitigation strategy, upgrading all public access PCs [illegible], and continuing to review the matter on a weekly basis. With respect to [illegible], the DCIO provided the following information:

    "Since [redacted] went out of support, [redacted] critical patches[2] have been released. Since these patches address vulnerabilities to [redacted], they may not all apply to our environment. NITTSS has a process to review the patch releases for remediation strategies in our environment. Mitigation strategies have been applied to remediate vulnerabilities for [redacted] of the patch releases. Possible workarounds have been identified for [redacted] others, but need to be reviewed for business impact before moving forward with the remediation. The remaining workarounds would have an unacceptable impact to the functionality and NARA is accepting the risk."

NH is considering options for replacing the unsupported [redacted]

[illegible] were [illegible] [redacted] as possible replacements for [illegible]. We were also advised that testing [illegible] (meaning that testing would be completed [illegible]) [and a] recommendation would be provided to the [illegible].

NH Management has delayed the selection and deployment of a supported [redacted] because of other priorities

[illegible] when it was released in [illegible].

[2] It should be [noted] that we did not attempt to reconcile the number of critical patches that we identified in our examination ([illegible] critical patches) with the number of critical patches reported by the Deputy CIO in his response ([illegible]). Further, we did perform additional research as part of this inquiry into the remediation [illegible] employed by NH as described in the Deputy CIO's response.

[illegible] and received the [illegible]:

    "The Office of Information Services (NH) has a fundamental assumption with regard to managing risk that is outlined in NARA's Enterprise Architecture (EA). Specifically, [illegible] Assumption 1 - We will manage IT risk with the rationale being that '... NARA prefers a conservative approach to IT system deployment ...' and 'NARA generally does not want to be an [illegible] of new technologies ...' However, NH did consider upgrading to [redacted] as part of the PC refresh project. This was reviewed with the NH TRG on [illegible]. However, at this point it was [illegible] generally [illegible] considered too early to deploy [illegible] concerns about the initial release of [redacted] and the impact it would have on our critical business applications because of [illegible] own issues with [redacted]."

Conclusion

[illegible] of PCs connected to the NARA network use the [redacted]. We confirmed [illegible] as a [illegible] PCs using [illegible], including critical security updates [illegible], do not receive [illegible] are at an increased risk from [redacted]. We determined that NH has taken steps to mitigate [illegible] and effectiveness of an internal remediation process as compared to regular security updates from [illegible]. NH [illegible] that they are taking steps to evaluate possible [illegible] but that no decision has been made on a replacement [illegible] evaluation process will not be completed until [redacted]. [illegible] that they have been [illegible] for the replacement [illegible] for almost [illegible] but have delayed the [illegible] concerns about the [illegible].

I have referred this issue to my Office of Audit for consideration as part of the audit planning process. Should you have any questions or require any additional information about this matter after you have had an opportunity to review this management letter, please e-mail me or Ross Weiland, AIGI, or call us at (301) 837-3000.

                                                     Paul Brachfeld
                                                     Inspector General

The attachment to Management Letter OI 11-01 has been redacted in full.